Security in Network Design: Key Considerations from a Network Architect’s Perspective

This guest post was authored by Cisco Designated VIP Daniel Dib, CCIE #37149, CCDE #20160011.

Recently I was describing on Twitter the great colleagues I'm getting to work with on a project, with CCIE certifications in Enterprise Infrastructure, Data Center, Wireless, and a CCDE certification. Someone responded to me, "Who is responsible for security?" My response was, "We all are."

While we still definitely need people who specialize in security (there is no doubt about that), it is now the job of everyone to consider security in their network designs. You have to consider security within all network architectures. It is not enough to put a firewall at the perimeter and call it a day.

Key considerations for security in network design

Regardless of whether it is a LAN, data center, or WAN, what are some of the key considerations for security in network design? Let's take a look at the CCDE v3.0 Written exam blueprint.

Under network security design and integration, we have:

  • Segmentation 
  • Network access control
  • Visibility 
  • Policy enforcement 
  • CIA triad 
  • Regulatory compliance 

Before we start diving into these CCDE exam topics, let me describe the process of designing a network, and why security can never be an afterthought. So, what differentiates a good network design from a bad one? Is it how redundant it is? Is it the number of firewalls? Is it the number of segments? Is it how fast it converges?

No. The only thing that differentiates a good network design from a bad one is whether it meets the requirements. A network design must always meet the requirements. Not meeting the network's requirements is clearly bad. But overdelivering is also bad, and is sometimes referred to as "gold plating."

So, how do you know what the network requirements are? Usually, the first step in a network design (and perhaps the most important one!) is gathering the requirements. Once the requirements are gathered, I typically document them in what is known as a Customer Requirements Document (CRD). The document includes answers to a myriad of questions covering business requirements, functional requirements, technical requirements, and operational requirements.

When creating this document, it is important to understand what kind of organization I'm dealing with. What is a typical user? What kind of traffic flows do they have? How do they use the internet? What kind of VPNs do they have? Already, at this phase, I need to understand what the customer and network look like in order to define what the security requirements are. Now let's return to the CCDE blueprint and dive into each area of network security design and integration, as well as how they affect a network's design.

Network Segmentation 

Network segmentation is good, or so you've heard. But what is segmentation? Is it enough to have different VLANs? While using different VLANs can provide benefits such as smaller flooding and failure domains, segmentation is normally used to describe two networks that don't have direct access to each other. There are two types of segmentation: macro segmentation and micro segmentation.

Macro-Segmentation

Macro-segmentation is used to describe networks that are walled off from each other. For example, (1) a guest network that is separate from the enterprise users' network, (2) a management network that is separate from the enterprise users, and (3) an IoT network that is isolated from everything else. Macro-segmentation is often implemented using Virtual Routing and Forwarding (VRFs) and/or firewalls.

Micro-Segmentation

There is also micro-segmentation, which describes how to filter within a macro segment. For example, maybe users shouldn't be able to communicate with each other. Should a printer be able to communicate with another printer? Should one ventilation system be able to communicate with another? Normally they can, since they belong to the same segment, but you may want to restrict it, which would require micro segmentation. This would typically be implemented using some form of Software Defined Networking (SDN) technology or by installing a client on computers and servers, etc.

There are of course also many other types of segments, such as a Demilitarized Zone (DMZ), where you host public services that are reachable from the internet.

Why do we need segmentation, though? Well, do you? What did the requirements say? Why we create segmentation comes from the requirements. For example, a network requirement may state, "Guest users may only use the internet and must not have access to any internal networks." With a requirement like that, you would need to create segments because guest users should be separated from enterprise users. If there is another requirement, such as, "Enterprise users must not have access to each other," then most likely you need some form of micro segmentation. The goal of segmentation is to be able to control what traffic is allowed between segments.

From a security perspective, it is also important to restrict lateral movement. If someone hacks one of our web servers, we don't want them to have access to, for example, our domain controller. That is why we don't allow any traffic from the DMZ to our higher security zones, such as where we keep the domain controller.
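The two requirements quoted above, and the "no DMZ to higher security zones" rule, turned into a small policy model that can be checked against a list of flows. This is an added example, not code from the original post; the segment names, the allowed-pair table and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass

# Macro segments taken from the post's examples (constructed model).
SEGMENTS = {"guest", "enterprise", "management", "iot", "dmz", "internet"}

# Macro policy: (source, destination) segment pairs allowed to talk.
# Anything not listed is denied (default deny between segments).
MACRO_POLICY = {
    ("guest", "internet"),       # "Guest users may only use the internet..."
    ("enterprise", "internet"),
    ("enterprise", "dmz"),       # internal users reach the public services
    ("internet", "dmz"),         # the DMZ hosts services reachable from outside
    ("management", "enterprise"),
    ("management", "dmz"),
    ("management", "iot"),
    # Deliberately absent: ("dmz", "enterprise") and ("dmz", "management").
    # A hacked web server must not reach the domain controller.
}

# Micro-segmentation: hosts inside these segments may not talk to each
# other ("Enterprise users must not have access to each other").
INTRA_SEGMENT_DENIED = {"enterprise", "guest", "iot"}


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_segment: str
    dst_host: str
    dst_segment: str


def flow_allowed(flow: Flow) -> bool:
    """True if the flow is permitted by the macro and micro policy."""
    if flow.src_segment not in SEGMENTS or flow.dst_segment not in SEGMENTS:
        raise ValueError(f"unknown segment in {flow}")
    if flow.src_segment == flow.dst_segment:
        return flow.src_segment not in INTRA_SEGMENT_DENIED
    return (flow.src_segment, flow.dst_segment) in MACRO_POLICY


def audit(flows):
    """Return the flows that violate the requirements-derived policy."""
    return [f for f in flows if not flow_allowed(f)]


# Constructed sample flows, e.g. from a flow export or a design review.
SAMPLE_FLOWS = [
    Flow("guest-laptop", "guest", "public-dns", "internet"),
    Flow("guest-laptop", "guest", "fileserver", "enterprise"),
    Flow("web01", "dmz", "dc01", "enterprise"),
    Flow("user-a", "enterprise", "user-b", "enterprise"),
    Flow("client", "internet", "web01", "dmz"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"DENY {f.src_host} ({f.src_segment}) -> {f.dst_host} ({f.dst_segment})")
```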

Network Access Control 

Let's say you plug your computer into a switch port. With no authentication, you have full access to other users, your management network, and the internet. Is this good security? We could argue that it's bad, but what did the requirements say? When implementing network access control, we must of course consider the security requirements, but also the ease of use. If the network becomes too complicated and confusing to use, and error-prone, then our design has failed, even if we met the requirements. What is network access control?

Many forms of network access control come to mind. The most obvious one is perhaps to implement 802.1X in your LAN. This is a mechanism that authenticates users, and optionally their computer, before allowing them access to the LAN. This can be in the form of providing credentials, and/or using certificates. Depending on the user, they may get different levels of access to the network. This can for example leverage Dynamic ACLs (DACL).

There are of course many other methods, such as using firewalls to enforce rules for what traffic can flow between segments. The network may use a proxy, such as Umbrella Secure Internet Gateway (SIG), to enforce what is allowed to be used on the internet. This can be enforced in the network or on the client itself.

There may also be things that are so obvious that you didn't even consider them. What about putting network equipment in a locked room to prevent people from accessing it, or shutting down switch ports so that people can't connect to random ports? Network access control can be anything from physical security, to policy, and much more.

Visibility 

What does visibility have to do with security? Growing up in the '80s and being named Daniel, The Karate Kid was one of my favorite movies. In The Karate Kid Part III, there is this quote from Terry Silver, the main antagonist in that movie. He says, "A man can't see, he can't fight." If your organization is blind to what's going on in the network, how are you going to prevent any threats? You can't! You need visibility to understand traffic flows and what's entering your network.

How do you get visibility? That's one big and complex topic! Did you know that most traffic, at least to the internet, is encrypted? This means that it's getting more and more difficult to see what traffic we have in our networks and hence, how to protect against potential threats. What can we do? We can try to glean information from the packets through DNS requests (if not encrypted), IP addresses (where the packets are going), what ports the packet is using, patterns in the packet, such as size and frequency, and other things. There are well-known prefixes, such as when using Microsoft 365 for example, where we can make a qualified guess about what the traffic is if we recognize the prefix. To get visibility, we often need some form of third-party product that can take information from the network, for example, in the form of Deep Packet Inspection (DPI), NetFlow, packet taps, packet mirroring, etc.

To get full visibility, most likely, you'll have to install something on the client. The client is the only place where you can see unencrypted packets, unless you are decrypting the users' packets using Transport Layer Security (TLS) inspection, of course.

There are many other ways of getting visibility, such as using proxies, firewalls, network access control, and Syslog. The most difficult part, considering the wealth of information, is understanding what is actually going on and how to prevent attacks such as the exfiltration of your data. If someone logs in from a location where you have no office and they transfer a lot of data, wouldn't you want to know about it? Ideally, visibility should give you insights into incidents such as these.
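The "login from a location with no office, followed by a large transfer" case above, turned into a detection run over flow records. This is an added example, not code from the original post; the record format, the office country list, the byte threshold and the sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style export, one flow per line (assumed format:
# "ts,user,src_ip,src_country,dst_ip,bytes_out"). Not real data.
SAMPLE_FLOWS = """\
2024-01-10T08:00:01,alice,10.1.1.10,SE,10.2.2.20,2048000
2024-01-10T08:05:12,bob,198.51.100.7,XX,203.0.113.9,734003200
2024-01-10T08:06:40,bob,198.51.100.7,XX,203.0.113.9,268435456
2024-01-10T08:07:03,carol,198.51.100.22,XX,10.2.2.20,10240
2024-01-10T09:15:00,dave,10.1.1.44,SE,203.0.113.9,52428800
"""

OFFICE_COUNTRIES = {"SE", "US"}      # where the organization has offices (assumed)
EXFIL_BYTES = 500 * 1024 * 1024      # assumed threshold: 500 MiB per user and location


def parse_flows(text):
    """Parse the export into dicts with an integer byte count."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, country, dst_ip, nbytes = line.split(",")
        flows.append({"ts": ts, "user": user, "src_ip": src_ip,
                      "country": country, "dst_ip": dst_ip, "bytes": int(nbytes)})
    return flows


def detect(flows, office=OFFICE_COUNTRIES, threshold=EXFIL_BYTES):
    """Alert on sessions that originate outside every office location.

    Bytes are summed per (user, source country) so that a transfer split
    over several flows is still caught. Any non-office login is reported;
    severity becomes "high" once the summed volume reaches the threshold.
    """
    totals = defaultdict(int)
    for f in flows:
        if f["country"] not in office:
            totals[(f["user"], f["country"])] += f["bytes"]
    alerts = []
    for (user, country), total in sorted(totals.items()):
        severity = "high" if total >= threshold else "low"
        alerts.append({"user": user, "country": country,
                       "bytes": total, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"[{a['severity']}] {a['user']} from {a['country']}: {a['bytes']} bytes out")
```

Dave's 50 MiB transfer from an office location is deliberately not reported; the point is the location-plus-volume combination, not volume alone.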

Policy Enforcement 

How do we enforce our policies, like the requirement that users can't talk to each other? How is policy enforcement different from network access control? Network access control relates more to giving access to the network itself, while policy enforcement is about restricting access once you already have access.

There is quite some overlap here, though. Let's break the phrase down into its parts. Policy is the intent of our network; the translation of our requirements into a set of rules. Enforcement is to ensure that our policy is adhered to. To be able to enforce something, packets must pass through a device that can decide whether the packet adheres to the policy or not.

What we need are choke points. When you travel to another country, they have a border. They also check your passport before admitting you. This is policy enforcement at a choke point. This is the same thing that we do in our networks. Traditionally, all our traffic went to some kind of headquarters or data center and passed through a big fat firewall. Most organizations moved away from this design, as it created a less-than-optimal user experience. But what are some of the choke points or potential policy enforcement nodes that we have today? There are many, so let me list a few of them.

  • Firewalls 
  • Proxies 
  • IDS/IPS (often integrated with the FW)
  • Switches 
  • Routers 
  • Wireless LAN controllers 
  • Applications on clients and servers

There are many places where we can enforce policies. The main challenge is most often getting visibility, though. You can't enforce a policy if you don't know what's in the packet.

The other challenge is often around implementation. If you have a firewall in every branch, and you have 1000 branches, how easy is it to manage this? It comes down to how standardized your design is. This is why many organizations are now using cloud proxies to have fewer choke points and make it more manageable. The other thing I often see in network design is that organizations don't know what their policy is, what apps and systems they have, or what ports they use and what the traffic flows are. You can't write a policy if you don't have enough information to classify what's allowed or not.

CIA Triad 

The CIA triad sounds like some weird combination of the US Central Intelligence Agency and a Japanese mafia. The good news is that this isn't at all what it is.

CIA in a network design is:

  • C – Confidentiality 
  • I – Integrity 
  • A – Availability

Confidentiality is about keeping the organization's data private or secret. All data should be private, right? What did the requirements say? A guest network at Starbucks will have different requirements than the Department of Defense (DoD) highly classified networks. This makes sense, right?

Integrity is about ensuring the integrity of the data. How do you know the information I sent you really came from me? What if my packet was altered before it reached you?

My data may be secure and private, and we ensured the packets couldn't be tampered with, but if my packet doesn't reach you, what good does it do? A secure system must also be available.

Let's take a closer look at the components of the CIA triad. Then I'll let you in on how this all ties together.

CIA Triad in Network Design

Confidentiality is about keeping data private or secret. There are many potential threats here, such as accessing data in transit if it's not encrypted, using weak algorithms, key loggers, attackers moving laterally after taking over an IoT device, and so on. The main tools for keeping the data secret are proper access controls, such as using strong passwords, implementing Multi-Factor Authentication (MFA), using least privilege access, and encrypting the data, at rest and in transit. There are also other measures, such as avoiding shoulder surfing, locking the computer, and preventing USB-device access to the computer.

Integrity is about ensuring that the data has not been tampered with. This could happen to data that is in transit or at rest. Having unauthorized access to data is bad enough, but what if they were also able to alter the data? Imagine someone gets access to the system that manages your payments and redirects a payment to themselves. The main security mechanisms, beyond access control, are digital signatures such as certificates, checksums, and message digests (also known as hashes). Certificates are used to verify the identity of the sender. Checksums and message digests are used to verify, using cryptography, that the data has not been altered.
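The redirected-payment scenario above, worked through with a plain message digest and with a keyed one. This is an added example, not code from the original post, and it uses HMAC as a stand-in for a signature so that it runs with the standard library only; the key and the invoice records are constructed assumptions. It also shows the caveat that a digest travelling with the data proves nothing if the attacker can rewrite both.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Unkeyed message digest (SHA-256), hex encoded."""
    return hashlib.sha256(data).hexdigest()


def unchanged(data: bytes, expected_digest: str) -> bool:
    """Integrity check for a digest obtained out of band (e.g. published
    separately): any change to the data changes the digest."""
    return hmac.compare_digest(digest(data), expected_digest)


def tag(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256). Only a holder of the key can produce a
    valid tag, so it also binds the data to the sender, which is what
    certificates and signatures do with a private key instead."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, received_tag: str) -> bool:
    return hmac.compare_digest(tag(key, data), received_tag)


# Constructed example: a payment instruction in transit and a tampered copy.
KEY = b"constructed-shared-key-not-for-real-use"
ORIGINAL = b"invoice=1042;payee=ACME Ltd;account=ACCT-PLACEHOLDER-1;amount=10000"
ALTERED = b"invoice=1042;payee=Mallory;account=ACCT-PLACEHOLDER-2;amount=10000"


def demo() -> dict:
    """Run the four cases and return which checks catch the alteration."""
    d = digest(ORIGINAL)
    t = tag(KEY, ORIGINAL)
    return {
        # Digest published separately: the altered record is caught.
        "digest_detects_alteration": not unchanged(ALTERED, d),
        # Digest sent alongside the data: the attacker simply recomputes it.
        "recomputed_digest_passes": unchanged(ALTERED, digest(ALTERED)),
        # Keyed tag: recomputing without the key does not verify.
        "forged_tag_fails": not verify_tag(KEY, ALTERED, tag(b"wrong-key", ALTERED)),
        "genuine_tag_verifies": verify_tag(KEY, ORIGINAL, t),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```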

Availability is often overlooked from a security perspective. Having the data unavailable is a security threat as well, though. Ensuring availability comes down to having a proper design in place that meets the availability requirements. This involves having redundant systems and paths, but in addition to redundancy, you also have to consider resiliency. What if you have redundant switches, routers, and firewalls, but they all use the same power source? What happens if you have a power outage? I've worked with environments where they used both AC and DC power as well as UPS and diesel generators to prevent scenarios where redundant components go down together with the components they were meant to back up. You also have to consider this from a transport perspective. Having a single transport, such as the internet, puts you at greater risk of making your systems unavailable.

From an attack perspective, the main threat to availability is if your systems get attacked and the attacker crashes the systems. More commonly though, you'd see something like a DDoS attack, where your systems are flooded with traffic. Someone could also try to send massive amounts of data into an application, such as a database, to make the system crash. Having your data encrypted by a crypto locker would also be a threat to your availability.

Protecting yourself includes having a good design, where you have considered the availability requirements and what transports to use, as well as implementing security systems that can filter out threats. Take IDS/IPS, for example. Some threats, such as DDoS, are difficult to handle on your own. You may need to rely on your ISP for protection in such scenarios.

Regulatory Compliance 

What was it Huey Lewis and the News said? It's HIPAA to be square? Resistance is futile; you will be assimilated. I don't recall whether this was from Star Trek or my PCI auditor. Joking aside, regulatory compliance is important, of course. Regulatory compliance is there to ensure that organizations live up to the standards that are required to keep our data safe. The two most well-known ones are probably the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). HIPAA is used to help keep our medical records safe, for example. PCI DSS is used to create safe payments, so our credit card numbers don't get leaked.

When it comes to regulatory compliance, there are many requirements that come with it. You have to meet the requirements, and there may be auditing involved to ensure that you're doing so. The requirements may include things like segmentation, encryption, access control, and more. While working with regulatory compliance can be tedious, time-consuming, and sometimes feel like you are designing for things that should be obvious, they are there to ensure that organizations meet the minimum standards when working with sensitive things such as medical records and payment information.

This blog post ended up a little longer than I expected, but I wanted to give you insight into just how much there is to consider in network design, or any design, when it comes to security. Even if you don't specialize in security, it should still be top of mind in everything you do. Keep in mind though, any design strives to meet the requirements, nothing more, nothing less.
If you enjoy talking about network design or are studying for the CCDE certification, join me in the CCDE Certification Community on the Cisco Learning Network. Check out the CCDE: Ask about anything discussion, where you can get your CCDE cert questions answered directly by Cisco. Thanks for sticking around and see you next time!

About Daniel Dib

Daniel Dib, CCIE #37149, CCDE #20160011, is a senior network architect at Conscia Netsafe. He works on creating scalable, modular, and highly available network designs that meet business needs. Daniel started out in implementation and operations and earned his CCIE in 2012. In May 2016, he became the second person in Sweden to get CCDE certified.

He often acts as a subject matter expert for his customers, with deep expertise in routing, switching, multicast, and fast convergence. He is an active member of the networking community and believes in helping people reach their full potential. He writes technical articles and blogs, and holds member-led study sessions for the members of the Cisco Learning Network.
